In the evolving state of cybersecurity, financial institutions grapple with the challenge of safeguarding their digital and financial assets against cyber threats. Cyber insurance has emerged as a critical component of risk management strategies. However, the complexities surrounding these policies, particularly regarding coverage in the event of a breach, can leave many organizations vulnerable. Drawing from the experience of The National Bank of Blacksburg vs Everest National Insurance and our observations at Finosec, this blog dives into the nuances and risks of cyber insurance policies.
The Intricacies Unveiled: National Bank of Blacksburg’s Experience
Several years ago, National Bank of Blacksburg suffered two significant cyber intrusions. These attacks, initiated through phishing emails, led to substantial financial losses totaling over $2.4 million. These incidents, enabled by phishing emails, compromised the bank’s computer systems allowing cybercriminals to illegally siphon funds, resulting in losses over $2.4 million. Initially, the bank filed a claim under their Computer & Electronic Crime Rider of their insurance policy; believing to be covered for approximately $2.3 million. However, in a complex twist of events, the insurance provider later reclassified the coverage under the bank’s Debit Card Rider. This rider had a drastically lower coverage cap of $50,000. The insurance company’s reevaluation resulted in a staggering difference of $2.25 million less than the amount NBB believed was covered. Despite the possession of a Computer and Electronic Crime Rider designed for such incidents, the insurance provider limited the bank’s claim citing specific policy exclusions, sparking a legal challenge that highlights the critical need for a thorough understanding of insurance policies and the coverage they offer in the wake of cyber-attacks. Despite the subsequent legal action and focus it brought on cybersecurity insurance, there have not been any significant changes made to policies offered by insurance companies.
A Closer Look at Cyber Insurance Challenges
The bank’s ordeal and other similar incidents illuminate a growing and concerning trend: insurance companies operate with the goal of maximizing profitability and may employ various strategies to minimize payouts. This realization prompts a need for a thorough review of insurance policies, coverage, and documentation by financial institutions. In fact, the FFIEC put out a joint statement with the FDIC, Federal Reserve, and NCUA, on cyber insurance. In this statement, the regulators highlight key considerations, including thorough due diligence to understand the cyber insurance policy’s scope, terms, exclusions, and costs. It is vital for institutions to ensure that cyber insurance renewals and coverage reviews remain consistent with evolving cyber risks and fit within their overall business and risk management strategies. I As we have continued to enhance our cyber insurance review module within Governance360, we have consistently seen changes in terminology that would impact coverage for a bank; reinforcing the need to focus on terms and exclusions within your policies.
The Importance of Accurate Answers to Coverage Questionnaire(s)
A pivotal factor in the claims process is the accuracy of the information provided by businesses when securing insurance coverage and the questionnaire for coverage. Cases where coverage has been denied have typically resulted because of discrepancies in the reported security measures.
We have seen a common trend post-breach and insurance claim, where the insurers will ask for governance documentation referenced in questionnaire answers; often as a way to justify a lower payout. In particular, we have seen a couple of common questions that add risk for non-coverage during the cyber insurance application process:
“Does the Applicant restrict user rights on computer systems such that individuals (including third party service providers) have access only to those areas of the network or information that is necessary for them to perform their duties?”
This question underscores the need for a policy of least privilege, where user rights are restricted to the bare minimum necessary for individuals to fulfill their job responsibilities, but with banking applications and the access reporting available, the realistic capability of an institution managing to least privilege without user access reporting software is a daunting task. If the insurer feels the institution did not appropriately manage their user’s access and therefore left themselves vulnerable to a breach, it is yet another reason they may find to not pay full coverage.
Another example of a question-answer that can be problematic is whether the insured has a Chief Information Security Officer (CISO). While most, if not all, institutions have an Information Security Officer (ISO), many do not have a CISO. While human nature is to say yes to the coverage question, in this example there is a difference in expectation of authority and independence with a CISO vs an ISO. Our recommendation is to respond with more details within the questionnaire, describing exactly what is in place. Having more detailed answers will give your team the ability to reduce the risk of claims being denied in the future.
In the context of insurance coverage, the questionnaire for coverage and an institution’s answers, serve as a litmus test for the organization’s insurance coverage risk. It implies that insurers expect you to implement stringent access controls and to have a clear record of who has access to what within your network. Insurers may use your answers to the coverage questions to limit their liability in coverage after a breach. A ‘Yes’ answer requires evidence, and in the event of a breach, you must be able to demonstrate proof.
Governance and Validation: A Proactive Approach
The challenges faced in accurately completing insurance questionnaires emphasize the need for a proactive governance strategy. Questions regarding the restriction of user rights on banking systems to necessary individuals underline the complexity of affirming compliance. This complexity necessitates a robust mechanism for tracking and validating access, ensuring that the organization can confidently attest to its adherence to policy stipulations.
Moving Forward: Ensuring Robust Coverage and Compliance
The challenges of insurance coverage hit home for me personally. Over the last couple of years, my home was hit with a large hail storm. This storm caused significant damage, and all the homes in my neighborhood had their roofs replaced by their insurance company except for ours. We had to fight with our insurance company, by hiring an independent company to review the damage. Fast forward, we were able to get the roof replacement covered, but this experience highlights that insurance companies look to limit their payouts to minimize risk exposure and maximize profits. Cyber insurance is no different, and the broader implications for cyber insurance policyholders emphasize the critical need for:
- Deep understanding of cyber insurance policies, paying close attention to the specifics of coverage and exclusions, and documentation of your annual cyber insurance review.
- Comprehensive and accurate documentation during the insurance application process, ensuring that all security measures are correctly reported and validated.
- Robust cybersecurity practices, including effective, comprehensive user access reporting, to manage access to the least privilege
Finosec’s Governance 360 platform allows institutions to validate Information Security and Cybersecurity Governance, including the modules Cyber Insurance Coverage and User Access Reporting.
